The ransomware has constantly changed since the beginning of the year, when researchers first spotted it, and nobody has been able to create a free decrypter until now.

Security provider Invincea provided the most recent change in Cerber’s mode of operation. The company said while it was analyzing a log file of Cerber’s latest infection techniques and thus trying to reproduce the infection chain, their analysts got a Cerber ransomware payload with a different file hash.

Retrying the infection chain after a few moments, the researchers got a third hash, and then a fourth hash, and so on. It didn’t take them long to figure out that Cerber’s C&C servers were churning out Cerber binaries with different file hashes every 15 seconds.

This was a sign the developers were employing a “malware factory,” an automated malware assembly line that puts together Cerber payloads but makes small modifications to the file’s internal structure in order to generate files with unique hashes.

A deeper look at the Cerber payloads showed a connection to a suspicious file sample first collected in September 2015, after the Neutrino exploit kit dropped the ransomware.